Network Management: Concepts and Practice, a Hands-On Approach by J. Richard Burke, Publisher: Prentice Hall

1
Network Management: Concepts and Practice, a
Hands-On Approach by J. Richard Burke
Publisher: Prentice Hall
Chapter 6: SNMP
2
Components of a TCP/IP-based Network Management
System
Communication architecture
3
SNMP Packet
  The SNMPv1 Packet
  • Version: 0 for version 1
    • Both the management station and management agent
      must use the same version of SNMP; otherwise
      frames will be discarded
  • Community name
    • An SNMP password
    • Management stations and management agents must
      use community names that match; otherwise frames
      will be discarded
    • The SNMP community name is NOT encrypted
  • Protocol Data Unit (PDU)
    • Indicates SNMP operation and variable bindings

4
SNMP commands
  • Get-Request (0): request one or more values from
    a management agent
  • Get-Next-Request (1): request the value of the
    next lexicographically larger object identifier
    in a MIB tree given the present object identifier
    • If used repeatedly, it allows the management
      station to walk the entire MIB tree to get the
      values of all variables without specifying the
      object identifiers of any variables.
  • Get-Response (2): a response from the management
    agent to the management station supplying the
    requested value(s)
  • Set-Request (3): sets a value in the management
    agent MIB
  • Trap (4): a message from a management agent to a
    management station that is initiated by an
    alarm/event pair on the management agent
    • To inform the management station of events that
      may require action by a network manager.

5
SNMP PDU Format
  • GetRequest, GetNextRequest, GetResponse, and
    SetRequest PDUs
  • Request ID: an integer used to correlate
    requests and responses
  • Error Status
    • When the PDU is a request from the management
      station, the Error Status field has the value
      zero
    • In Get-Response messages, it is used by the
      management agent to inform the management station
      that the PDU was either received correctly or
      that an exception occurred

6
SNMP PDU Error Status
  • Error Status
    • 0 noError
    • 1 tooBig: a Too Big error is encountered most
      often when a GetNextRequest operation retrieves a
      large amount of data that cannot fit into a
      single SNMP message
    • 2 noSuchName: there is no such object with this
      name
    • 3 badValue: the incoming Set operation
      specified the incorrect syntax or value
    • 4 readOnly: a SetRequest operation tried to
      modify a variable that is not included in the
      SNMP community profile used for the operation
    • 5 genErr: an error that does not fit any of the
      four specific error types

7
SNMP PDU Error Index
  • Error Index
    • In the Get-Response message, an integer (starting
      at one) that specifies the first variable in
      the VarBindList that caused an error
    • When the PDU is a request from the management
      station, the Error Index field has the value zero

8
SNMP PDU VarBindList
  • VarBindList: a list of variable ID and variable
    value pairs
    • Variable ID: contains the Object Identifier of the
      variable defined in the Structure of Management
      Information (SMI) specification
    • Variable Value: contains the value of the variable
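
The packet and PDU fields from slides 3 to 8, decoded from raw bytes. This is an added example, not code from the slides or the book; the sample packet is constructed here, and the function names are this example's own. It shows that the community name travels as readable bytes next to the version and the PDU.

```python
# Constructed sample: GetRequest(sysDescr.0), community "public", request ID 0x1234.
SAMPLE = bytes.fromhex("3027020100" "04067075626c6963" "a01a02021234020100020100"
                       "300e300c06082b06010201010100" "0500")
PDU_TYPES = {0: "GetRequest", 1: "GetNextRequest", 2: "GetResponse", 3: "SetRequest"}
ERRORS = {0: "noError", 1: "tooBig", 2: "noSuchName", 3: "badValue", 4: "readOnly", 5: "genErr"}

def tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    if start + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[start:start + length], start + length

def decode_oid(raw):
    """First byte packs the first two arcs (40*x + y); the rest are base-128."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:               # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_snmpv1(packet):
    num = lambda b: int.from_bytes(b, "big")
    _, msg, _ = tlv(packet, 0)         # outer SEQUENCE
    _, version, p = tlv(msg, 0)
    _, community, p = tlv(msg, p)      # OCTET STRING, sent as plain bytes
    pdu_tag, pdu, _ = tlv(msg, p)      # context tag 0xA0 + PDU type
    if pdu_tag & 0x1F not in PDU_TYPES:
        raise ValueError("Trap or unknown PDU: different field layout")
    _, req_id, q = tlv(pdu, 0)
    _, err_status, q = tlv(pdu, q)
    _, err_index, q = tlv(pdu, q)
    _, vbl, _ = tlv(pdu, q)
    binds, r = [], 0
    while r < len(vbl):                # each VarBind is SEQUENCE { OID, value }
        _, vb, r = tlv(vbl, r)
        _, oid, s = tlv(vb, 0)
        binds.append((decode_oid(oid), tlv(vb, s)[1]))
    return {"version": num(version), "community": community.decode("latin-1"),
            "pdu": PDU_TYPES[pdu_tag & 0x1F], "request_id": num(req_id),
            "error_status": ERRORS.get(num(err_status), "unknown"),
            "error_index": num(err_index), "varbinds": binds}
```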

9
Trap SNMP PDU Format
  • Trap PDU
    • Enterprise: contains an object identifier,
      defined by an authorized vendor, for the device
      subsystem that created the trap message
    • Agent Address: the IP address of the network
      device
    • Generic Trap Number: contains an integer
      representing one of seven traps defined in SNMP
      RFC 1157
    • Specific Trap Number: contains a code defined in
      a proprietary MIB
    • Time Stamp: contains the time in 1/100ths of a
      second since the agent on the device was
      initialized
    • VarBindList: may contain one or more variable
      bindings that are sent along with the trap message

10
SNMP PDU -- Trap
  • Generic Trap Number
    • coldStart(0)
    • warmStart(1)
    • linkDown(2)
    • linkUp(3)
    • authenticationFailure(4)
    • egpNeighborLoss(5)
    • enterpriseSpecific(6)

11
Structure of Management Information (SMI) MIB
Hierarchical tree structure
12
Structure of Management Information (SMI) MIB
  • The nodes are labeled except for the root
  • Each label consists of a non-negative integer
    value and possibly a brief textual description
  • Children nodes are termed subordinates or
    sub-identifiers

13
Structure of Management Information (SMI) MIB
  • The root node has three subordinates
    • ccitt(0) -- administered by the International
      Telegraph and Telephone Consultative Committee
      (CCITT)
    • iso(1) -- administered by the International
      Organization for Standardization and
      International Electrotechnical Committee
      (ISO/IEC)
    • joint-iso-ccitt(2) -- jointly administered by
      ISO/IEC and CCITT

14
Structure of Management Information (SMI) MIB
  • In the management framework, only the iso(1)
    subtree is of interest
  • ISO/IEC has defined four subordinates
    • standard(0) -- has a subordinate assigned to each
      International Standard
    • registration-authority(1) -- reserved for use by
      OSI registration authorities
    • member-body(2) -- has a subordinate assigned to
      each member body of ISO/IEC
    • identified-organization(3) -- has a subordinate
      assigned to any organization that ISO/IEC wishes
      to favor

15
Structure of Management Information (SMI) MIB
MIB object
16
Structure of Management Information (SMI) MIB
  • Object identifier
    • a sequence of non-negative integer values that
      traverse a tree
    • The most concise textual format for describing an
      OBJECT IDENTIFIER, e.g., 1.0.8751.5.1

17
Structure of Management Information (SMI) MIB
MIB Table
18
MIB Table
  • ipRouteTable
  • 1.3.6.1.2.1.4.21

19
SNMP Command and Arguments
Identifying an object instance
  • The instance of a simple object is indicated by
    appending .0
    • Example: GetRequest (sysDescr.0)
  • An instance in a table is identified by appending
    the index instance(s) for the desired row
    • Example: GetRequest (ipRouteNextHop.10.3.4.5)
  • Only cells in a table are accessible
  • A table and a row of a table are not accessible

20
SNMP Command and Arguments
  • GetNextRequest: retrieves the next object in
    lexicographical order
  • sysDescr.0 is the next object after the invalid
    sysDescr object
    • sysDescr 1.3.6.1.2.1.1.1 (invalid instance)
    • sysDescr.0 1.3.6.1.2.1.1.1.0
    • sysObjectID 1.3.6.1.2.1.1.2 (invalid instance)
    • sysObjectID.0 1.3.6.1.2.1.1.2.0
  • Consider the command
    • GetNextRequest(sysDescr, sysObjectID,
      sysUpTime)
  • The GetResponse to this command should be
    • GetResponse(sysDescr.0 value,
      sysObjectID.0 value, sysUpTime.0 value)
  • GetNextRequest can be used to obtain all values
    in a MIB in lexicographical order
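
GetNextRequest and the MIB walk from slides 4 and 20, run against a small in-memory agent. This is an added example, not from the slides or the book; the MIB contents, values and function names are constructed for illustration. It goes one step beyond the slide by including two table instances, which shows that the ordering is numeric per sub-identifier.

```python
from bisect import bisect_right

def oid(text):
    return tuple(int(arc) for arc in text.split("."))

# Constructed agent MIB (instance OID -> made-up value); not from the slides.
MIB = {oid(k): v for k, v in {
    "1.3.6.1.2.1.1.1.0": "Constructed Router OS 1.0",   # sysDescr.0
    "1.3.6.1.2.1.1.2.0": "1.3.6.1.4.1.99999.1",         # sysObjectID.0 (placeholder)
    "1.3.6.1.2.1.1.3.0": 123456,                        # sysUpTime.0
    "1.3.6.1.2.1.4.21.1.7.9.1.2.3": "10.3.4.1",         # ipRouteNextHop.9.1.2.3
    "1.3.6.1.2.1.4.21.1.7.10.3.4.5": "10.3.4.1",        # ipRouteNextHop.10.3.4.5
}.items()}
# Tuples of integers compare sub-identifier by sub-identifier, so ...7.9 sorts
# before ...7.10; comparing the dotted strings would get this wrong.
ORDER = sorted(MIB)

def dotted(t):
    return ".".join(map(str, t))

def get_next_request(*names):
    """Answer a GetNextRequest, setting error-status and error-index as the PDU does."""
    binds = []
    for index, name in enumerate(names, start=1):
        i = bisect_right(ORDER, oid(name))   # first instance strictly after `name`
        if i == len(ORDER):                  # ran off the end of the MIB
            return {"error_status": "noSuchName", "error_index": index,
                    "varbinds": [(n, None) for n in names]}
        binds.append((dotted(ORDER[i]), MIB[ORDER[i]]))
    return {"error_status": "noError", "error_index": 0, "varbinds": binds}

def walk(root):
    """Repeat GetNextRequest from `root` until the reply leaves that subtree."""
    prefix, current, found = oid(root), root, []
    while True:
        reply = get_next_request(current)
        if reply["error_status"] != "noError":
            break
        name, value = reply["varbinds"][0]
        if oid(name)[:len(prefix)] != prefix:
            break
        found.append((name, value))
        current = name
    return found
```

Calling `walk("1.3.6.1")` returns every instance the agent holds without the caller naming a single leaf, which is why the MIB view attached to a read community matters.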

21
SNMP Command and Arguments
  • SetRequest: used to write the value of an object
  • Consider the command
    • SetRequest(sysContact.0 name)
  • The response to this command would be
    • GetResponse(sysContact.0 name)

22
Security
  • A management station usually manages many objects
  • An object may be managed by several management
    stations
  • Each managed device must be able to control the
    use of its MIB by a number of distinct management
    stations
  • There are two aspects in this control
    • Authentication service: authentication of manager
    • Access policy: different privileges to different
      managers

23
Authentication
  • SNMP provides for only a trivial scheme for
    authentication
  • Every message from a management station includes
    a community name
  • It functions as a password
  • With this limited form of authentication, many
    network managers will be reluctant to allow
    anything other than network monitoring (get and
    trap)

24
Communities
  • An SNMP community is a relationship between an
    SNMP agent and a set of SNMP managers that defines
    authentication and access control characteristics
  • The community concept is a local one defined at
    the managed device
  • The managed device establishes one community for
    each desired combination of authentication and
    access control characteristics

25
Community Names
  • Each community is given a unique (within this
    agent) community name
  • The same name may be used by different managed
    devices with different meanings
  • The management stations are provided with and
    must employ the community name in all get and set
    operations
  • If the community name does not match, the message
    will be discarded
  • A management station must keep track of the
    community name(s) associated with each of the
    managed devices that it wishes to access

26
MIB view, access mode, and community profile
  • SNMP MIB view: a subset of the objects within a
    MIB
  • Different MIB views may be defined for each
    community
  • The set of objects in a MIB view need not belong
    to a single subtree of the MIB
  • SNMP access mode of a community name: an element
    of the set {READ-ONLY, READ-WRITE}
  • An access mode is defined for each community
  • The combination of a MIB view and an access mode
    is called a community profile

SNMP community profile = MIB view + SNMP access
mode
27
SNMP Community Profile
SNMP community profile = MIB view + SNMP access
mode
28
SNMP Community Profile
SNMP community profile = MIB view + SNMP access
mode
29
SNMP Access Policy
  • A pairing of an SNMP community with an SNMP
    community profile is called an SNMP access policy
  • Thus, an SNMP access policy is the combination of
    an SNMP community, a MIB view, and an access mode

SNMP access policy = SNMP community + SNMP
community profile
30
SNMP Access Policy
31
MIB Access
  • Each MIB object has its own ACCESS clause
    • Not-accessible
    • Read-only
    • Write-only
    • Read-write

32
Resolution of SNMP Access Mode and MIB Access
Use the more restricted access level
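
The access decision described on slides 22 to 32, as an added example that is not from the slides or the book. The community names and the agent configuration are hypothetical, the ACCESS clauses are the MIB-II ones for the objects named, and "more restricted" is modelled here as the intersection of the permitted operations, which is an assumption of this sketch.

```python
def oid(text):
    return tuple(int(arc) for arc in text.split("."))

# Operations each level permits. "More restricted" is modelled as the intersection
# of the two sets (an assumption of this sketch).
MODE_OPS = {"READ-ONLY": {"get"}, "READ-WRITE": {"get", "set"}}
ACCESS_OPS = {"not-accessible": set(), "read-only": {"get"},
              "write-only": {"set"}, "read-write": {"get", "set"}}

# Constructed agent configuration: community name -> community profile.
# The community names are hypothetical.
POLICIES = {
    "ops-ro":      {"view": ["1.3.6.1.2.1.1", "1.3.6.1.2.1.4.21"], "mode": "READ-ONLY"},
    "netadmin-rw": {"view": ["1.3.6.1.2.1.1"], "mode": "READ-WRITE"},
}
# ACCESS clause per MIB object (MIB-II definitions).
OBJECT_ACCESS = {
    "1.3.6.1.2.1.1.1": "read-only",          # sysDescr
    "1.3.6.1.2.1.1.4": "read-write",         # sysContact
    "1.3.6.1.2.1.4.21.1": "not-accessible",  # ipRouteEntry (a table row)
    "1.3.6.1.2.1.4.21.1.7": "read-write",    # ipRouteNextHop
}

def under(instance, subtree):
    return instance[:len(subtree)] == subtree

def effective_ops(mode, instance):
    """Resolve access mode against the ACCESS clause of the longest matching object."""
    matches = [k for k in OBJECT_ACCESS if under(instance, oid(k))]
    if not matches:
        return set()
    clause = OBJECT_ACCESS[max(matches, key=lambda k: len(oid(k)))]
    return MODE_OPS[mode] & ACCESS_OPS[clause]

def authorize(community, op, instance_text):
    policy = POLICIES.get(community)
    if policy is None:
        return "discard"                     # community name does not match
    instance = oid(instance_text)
    if not any(under(instance, oid(s)) for s in policy["view"]):
        return "not-in-view"                 # object is outside this community's MIB view
    return "allowed" if op in effective_ops(policy["mode"], instance) else "denied"
```

The READ-WRITE community here has the narrower MIB view, so a leaked write-capable name reaches fewer objects than the read-only one.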